Doing a hash search

(imported topic written by jpeppers91)

I have a list of hashes and I need to query our environment for these hashes. Is there a way to use the sha1 to query for the hashes?

(imported comment written by NoahSalzman)

Q: lines of file "/Users/noah/sha1.txt"

A: 3b5d0f45ad5655638434b1f3c249a204b16cc5da

A: 3f48714a67dba6f7385121fb640a2a06792cd5af

A: 378322bd2a3c1e41fc9c9892c5d0da7b583dd6c0

Q: exists files whose (sha1 of it = "asdf") of folder "/Users/noah"

A: False

Q: exists files whose (sha1 of it = "3b5d0f45ad5655638434b1f3c249a204b16cc5da") of folder "/Users/noah"

A: True

Q: sha1s of files of folder "/Users/noah"

A: 378322bd2a3c1e41fc9c9892c5d0da7b583dd6c0

A: 3b5d0f45ad5655638434b1f3c249a204b16cc5da

A: 3f48714a67dba6f7385121fb640a2a06792cd5af

A: da39a3ee5e6b4b0d3255bfef95601890afd80709

A: ca099b97e53c31df78495a8710eb333a4b874c95

A: dfa539e5dc10d11fd5d41a9694fd056c49a01dbe

Q: elements of intersection of (set of (sha1s of files of folder "/Users/noah"); set of (lines of file "/Users/noah/sha1.txt"))

A: 378322bd2a3c1e41fc9c9892c5d0da7b583dd6c0

A: 3b5d0f45ad5655638434b1f3c249a204b16cc5da

A: 3f48714a67dba6f7385121fb640a2a06792cd5af

(imported comment written by jpeppers91)

If I say exists files whose (sha1 of it = "asdf") of folder c:" will that only look at the root of c:\ or will it traverse the entire structure?

(imported comment written by NoahSalzman)

You are looking for the “descendants of folder” syntax.

http://forum.bigfix.com/viewtopic.php?id=6234

Note the important warning about the high load this can put on an endpoint.

(imported comment written by jpeppers91)

This is what I came up with…

exists (sha1 of it = "803cacd1008bf296ece8dcebb869808273c9800b") of descendants of folder "C:"

(imported comment written by amagewick91)

When I try this, I get “True” no matter what Sha1 I put in…

(imported comment written by jpeppers91)

Darn…

(imported comment written by NoahSalzman)

You want:

files whose (sha1 of it = "092ad2ed71b940c95e0caf6b3142caa4eab09dc7") of descendant folders of folder "c:"

I think this may skip the root folder itself.

Also, did I mention that searching your whole hard drive is a bad idea? You really should target this at specific folders.

(imported comment written by jpeppers91)

Yeah, the problem is we don’t know where the files are located…
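
The set-intersection sweep discussed in this thread, written out as a stand-alone Python script. This is an added example, not part of any post above and not BigFix code. It includes files in the starting folder as well as every folder below it, and skips files over a size cap to limit endpoint load. The function names, the `max_bytes` cap and the sample files are assumptions made for illustration.

```python
import hashlib
import os
import tempfile

def sha1_of_file(path, chunk_size=1 << 20):
    """Hash in chunks so a large file is never read into memory whole."""
    digest = hashlib.sha1()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()

def load_hash_list(path):
    """Read one SHA-1 per line; lowercase it, drop blank or malformed lines."""
    wanted = set()
    with open(path, encoding="utf-8") as handle:
        for line in handle:
            value = line.strip().lower()
            if len(value) == 40 and all(c in "0123456789abcdef" for c in value):
                wanted.add(value)
    return wanted

def find_matches(root, wanted, max_bytes=100 * 1024 * 1024):
    """Return {sha1: [paths]} for files in root and every folder below it."""
    matches = {}
    for folder, _subfolders, names in os.walk(root, followlinks=False):
        for name in names:
            path = os.path.join(folder, name)
            try:
                if os.path.islink(path) or not os.path.isfile(path):
                    continue
                if os.path.getsize(path) > max_bytes:
                    continue  # assumed size cap, bounds the I/O per endpoint
                digest = sha1_of_file(path)
            except OSError:
                continue  # locked or unreadable file: skip it, keep sweeping
            if digest in wanted:
                matches.setdefault(digest, []).append(path)
    return matches

if __name__ == "__main__":
    # Constructed sample: empty files in the root and in a subfolder.
    with tempfile.TemporaryDirectory() as root, tempfile.TemporaryDirectory() as lists:
        os.mkdir(os.path.join(root, "sub"))
        for rel in ("empty.bin", os.path.join("sub", "also-empty.bin")):
            open(os.path.join(root, rel), "wb").close()
        with open(os.path.join(lists, "sha1.txt"), "w", encoding="utf-8") as handle:
            handle.write("DA39A3EE5E6B4B0D3255BFEF95601890AFD80709\n\nasdf\n")
        print(find_matches(root, load_hash_list(os.path.join(lists, "sha1.txt"))))
```

Lowercasing the list entries matters because `hexdigest()` returns lowercase, so an uppercase list would otherwise never match.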